PE_XPAJ: Persistent File Infector

We’re currently investigating a number of file infectors that have affected several countries, particularly Australia. Trend Micro detects these as PE_XPAJ.C, PE_XPAJ.C-1, PE_XPAJ.C-2, and PE_XPAJ.C-O.

Based on our initial analysis, these PE_XPAJ variants connect to the following C&C servers to send and receive information:

The infected file (detected as a PE_XPAJ variant) can download its encrypted mother file, saved under a randomly generated filename, and load it into memory. As a result, a copy of the mother file can be found in the Windows folder under a random file name and extension. Users will notice re-infection when these encrypted files reappear in the Windows folder with the same filename and extension that was used before.

PE_XPAJ variants infect .EXE, .SCR, .DLL and .SYS files. They also infect the Master Boot Record (MBR) so that they load automatically before the OS loads. One of their payloads is click fraud: these variants can redirect users to ad-clicking scams to generate profit for the cybercriminals.

Based on our Smart Protection Network, the following are the top countries affected by this threat:

Australia
India
Japan
Italy
United States

We’ll update this entry with recent developments on this threat.

Update as of 7:30 PM, October 23, 2012, PDT

How to determine if your system is infected by PE_XPAJ

There are two ways users and system administrators can check whether a system has been infected by PE_XPAJ variants. First, it will communicate with the command-and-control servers listed above. Second, certain files can be found in the Windows directory: PE_XPAJ variants download their mother file and load it into memory, so a copy of the encrypted mother file can be found in the Windows folder under a random file name and extension.

Users will know that they have been re-infected once these encrypted files reappear in the said folder with the same name and extension that was used before. Typically, 6-9 such files will be present.

This information can be used to determine easily whether your system is infected: if both of these behaviors are present, the system has a PE_XPAJ infection.

Update as of 4:17 PM, October 24, 2012, PDT

We spotted the following additional C&C servers to which PE_XPAJ connects:

Update as of 9:31 AM, October 25, 2012, PDT

Trend Micro created a Rescue Disk tool to clean systems infected with PE_XPAJ.C.

The tool includes the aggressive detections Cryp_Xin14 and PE_XPAJ.C-1, which are not available in the Official Pattern Release.

Below are the tool’s capabilities:

Clean infected MBR (Master Boot Record)
Clean files infected by the malware PE_XPAJ.C-1
Delete files detected as Cryp_Xin14

This tool uses a pattern designed only for PE_XPAJ.C-1 and Cryp_Xin14. If the system is infected with other malware, users may need to update their Trend Micro software with the latest pattern file. Files that the Rescue Disk detects but cannot clean will be quarantined.

PE_XPAJ.C propagates via mapped drives or shared folders. Affected users are recommended to disable their network shares immediately. Users are also advised to block the related malicious URLs and, if possible, to add them to the HOSTS file.
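The two defensive steps this entry relies on, spotting contact with the listed C&C servers and sinkholing those names through the HOSTS file, as an added example that is not part of the original post or of any Trend Micro tool. The domain names and log lines below are constructed placeholders; substitute the C&C servers listed in this entry.

```python
import re

# Constructed placeholders standing in for the C&C domains listed in the entry.
CNC_DOMAINS = ["cnc-placeholder-1.example", "cnc-placeholder-2.example"]
SINKHOLE_IP = "0.0.0.0"

# Constructed log lines in the form "timestamp client-host destination".
SAMPLE_LOG = [
    "2012-10-24T09:01:02Z ws-042 cnc-placeholder-1.example",
    "2012-10-24T09:01:05Z ws-017 intranet.example",
    "2012-10-24T09:02:11Z ws-017 update.cnc-placeholder-2.example",
]
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<dest>\S+)$")


def flag_cnc_contacts(log_lines, domains):
    """Return (client, destination) pairs whose destination is one of the
    C&C domains or a subdomain of one; everything else is ignored."""
    blocked = [d.lower() for d in domains]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dest = m.group("dest").lower()
        if any(dest == d or dest.endswith("." + d) for d in blocked):
            hits.append((m.group("host"), dest))
    return hits


def hosts_with_blocks(existing_hosts, domains):
    """Return HOSTS-file content with a sinkhole entry for each domain.
    Names already present (in any entry, comments stripped) are skipped,
    so applying the function twice leaves the file unchanged."""
    already = set()
    for line in existing_hosts.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            already.update(name.lower() for name in fields[1:])
    new = [d for d in domains if d.lower() not in already]
    out = existing_hosts.rstrip("\n")
    if new:
        out += "\n# PE_XPAJ C&C sinkhole entries\n"
        out += "\n".join(f"{SINKHOLE_IP} {d}" for d in new)
    return out + "\n"
```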
